Platform: nodejs
Component: serve-static
Fixed in: 1.16.1, 2.0.1, 1.16.0
CVE-2024-43800 describes a cross-site scripting (XSS) vulnerability within the serve-static Node.js module. This vulnerability allows an attacker to potentially execute arbitrary code by manipulating input passed to the response.redirect() function, even after sanitization attempts. The vulnerability affects versions 1.15.0 and earlier, and a patch is available in version 1.16.0.
The core of the vulnerability is improper handling of user-controlled input within the response.redirect() function. Even after sanitization, the input can still be used to trigger code execution in the context of the application. A successful attacker could inject malicious scripts that are then executed in the user's browser, potentially leading to session hijacking, data theft, or defacement of the web application. Two preconditions apply: the attacker must control the input, and Express must not redirect before the template appears. These add a layer of complexity but do not negate the risk.
CVE-2024-43800 was publicly disclosed on September 10, 2024. At the time of writing there is no indication of active exploitation or of inclusion in the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the nature of the vulnerability suggests they could be developed relatively easily. The CVSS score of 5 (Medium) reflects the potential impact and the relatively low complexity of exploitation.
EPSS: 0.92% (76th percentile)
The primary mitigation for CVE-2024-43800 is to upgrade to version 1.16.0 of the serve-static module; the patched version addresses the vulnerability with proper input validation and sanitization. If upgrading is not immediately feasible, a workaround is to rigorously validate all user input against an explicit allowlist before passing it to response.redirect(), so that only trusted data reaches the redirect. Test the application thoroughly after implementing any workaround to confirm it is effective.
Update the serve-static dependency to version 1.16.0 or higher by running `npm install serve-static@latest` or `yarn upgrade serve-static@latest` in your project. Test the application after the update to verify there are no compatibility issues.
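The allowlist workaround described above, as an added example that is not part of this advisory or of the serve-static project. It assumes an Express-style handler where the redirect target arrives in a `next` query parameter (an assumption) and a constructed allowlist of same-origin paths; the returned value is the normalized allowlisted path, never the raw input.

```javascript
// Added example: allowlist-based redirect target validation for Express-style
// handlers, as an interim workaround until serve-static is upgraded to 1.16.0+.
// The allowlist below is constructed for illustration; use your own routes.
const ALLOWED_REDIRECT_PATHS = new Set(['/', '/login', '/dashboard', '/docs/']);

// Returns a safe, same-origin path from the allowlist, or null when the input
// is missing, malformed, off-origin, or simply not on the list.
function resolveRedirectTarget(rawInput, allowlist = ALLOWED_REDIRECT_PATHS) {
  if (typeof rawInput !== 'string' || rawInput.length === 0 || rawInput.length > 256) {
    return null;
  }
  // Reject control characters, including CR/LF, so nothing can reach a header
  // or a response body in a form the page text warns about.
  if (/[\u0000-\u001f\u007f]/.test(rawInput)) return null;
  // Only same-origin absolute paths: a single leading '/', not '//' or '/\',
  // which browsers and the WHATWG URL parser treat as a new authority.
  if (!rawInput.startsWith('/') || rawInput.startsWith('//') || rawInput.startsWith('/\\')) {
    return null;
  }
  // Parse against a fixed base so dot segments are resolved and the query and
  // fragment are dropped; only the normalized pathname is compared.
  let pathOnly;
  try {
    pathOnly = new URL(rawInput, 'http://localhost').pathname;
  } catch {
    return null;
  }
  return allowlist.has(pathOnly) ? pathOnly : null;
}

// Assumed handler: redirect to the validated target, falling back to '/'.
function redirectAfterLogin(req, res) {
  const target = resolveRedirectTarget(req.query && req.query.next) ?? '/';
  res.redirect(target);
}
```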
CVE-2024-43800 is a cross-site scripting (XSS) vulnerability in the serve-static Node.js module, allowing potential code execution via manipulated input to response.redirect().
You are affected if you are using serve-static version 1.15.0 or earlier. Check your project dependencies to determine your version.
Upgrade to serve-static version 1.16.0, or implement strict input validation against an allowlist before calling response.redirect().
There is currently no evidence of active exploitation, but the nature of the vulnerability suggests it could be exploited.
Refer to the project's repository or related security advisories for the most up-to-date information.